Menlo Labs warns of HTML smuggling

With increased remote work and cloud hosting, machines are more susceptible to such attacks

Menlo Labs, the research arm of Menlo Security, is warning of the re-emergence of HTML smuggling, a technique by which attackers bypass perimeter security and attack victims' machines directly. Menlo shared the news together with a case of HTML smuggling it identified: a campaign it named ISOMorph, which used the same technique as the SolarWinds attackers.

ISOMorph uses HTML smuggling for its initial access to the victim's device, which is what lets the 'smuggler' slip past perimeter security. Once the dropper is installed on the victim's device, it delivers the payload, which in turn infects the device with remote access trojans (RATs). These trojans let the attacker control the device and move laterally across the compromised network.

The attack abuses basic features of HTML5 and JavaScript in the web browser. HTML5 is used to download a malicious file that appears legitimate, and JavaScript is abused in the same way. Network security tools cannot flag the file as malicious because it is only assembled once the page content reaches the target computer, so the malicious code is easily hidden from inspection at the network perimeter.
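Because the file is assembled inside the browser, the defensive opportunity is to inspect the HTML and script that arrive at the endpoint (a saved attachment or a mail body) for the building blocks the text describes: a base64 payload, client-side decoding, a Blob or object URL, and a forced download under a benign-looking name. The scanner below is an added example written for this page; it is not Menlo Labs' or SecureTeam's tooling, the indicator names, score weights and thresholds are assumptions for illustration, and the two HTML fixtures are constructed (the "payload" is an inert PE header followed by zeros so the magic-byte check has something to find).

```python
"""Heuristic scan of HTML content for HTML smuggling indicators.

Added example: not Menlo Labs' or SecureTeam's code. Indicator names, weights
and thresholds are assumptions; the sample HTML below is constructed.
"""
import base64
import re

# Each indicator is a regex over the raw HTML/JavaScript text. One hit is common
# on legitimate pages; several together are what makes a page worth a look.
INDICATORS = {
    "download_attribute": re.compile(r"<a\b[^>]*\bdownload\b", re.I),
    "js_download_prop": re.compile(r"\.download\s*=", re.I),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "legacy_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I),
    "octet_stream_data_uri": re.compile(r"data:application/octet-stream", re.I),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}

# A long unbroken base64 run is how the payload usually travels inside the page.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")

# Filenames handed to the download attribute or the JS download property.
FILENAME = re.compile(r"""download\s*=\s*["']([^"']+)["']""", re.I)

# Container/script extensions that rarely belong in a browser-initiated download.
RISKY_EXTENSIONS = (".iso", ".img", ".exe", ".js", ".vbs", ".hta", ".lnk", ".scr", ".msi")

# Magic bytes worth flagging if a decoded base64 run starts with them.
MAGIC = {b"MZ": "PE executable", b"PK": "ZIP/Office container"}


def decoded_prefix(run: str) -> bytes:
    """Decode the start of a base64 run and return its first bytes (b"" on failure)."""
    head = run[:200]
    head = head[: len(head) - len(head) % 4]  # keep a whole number of 4-char groups
    try:
        return base64.b64decode(head)[:4]
    except ValueError:
        return b""


def scan_html(html: str) -> dict:
    """Return the indicators found, risky filenames, payload magic and a verdict."""
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(html))
    filenames = [f for f in FILENAME.findall(html) if f.lower().endswith(RISKY_EXTENSIONS)]
    magic = []
    for run in B64_RUN.findall(html):
        head = decoded_prefix(run)
        for signature, label in MAGIC.items():
            if head.startswith(signature):
                magic.append(label)
    # Weights are assumptions: a risky filename or an embedded executable each
    # count for more than a single generic JavaScript indicator.
    score = len(hits) + 2 * len(filenames) + 2 * len(magic)
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "clean"
    return {
        "indicators": hits,
        "risky_filenames": filenames,
        "embedded_payload": magic,
        "score": score,
        "verdict": verdict,
    }


# Constructed fixture: the shape of a smuggling page with an inert payload.
_INERT_PAYLOAD = base64.b64encode(b"MZ" + b"\x00" * 200).decode()
SAMPLE_SMUGGLING_HTML = f"""<html><body>
<script>
var blob = new Blob([atob("{_INERT_PAYLOAD}")], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.iso";
a.click();
</script></body></html>"""

# Constructed fixture: a legitimate page that also uses the download attribute.
SAMPLE_BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<a href="/files/report.pdf" download="report.pdf">Download the PDF</a>
</body></html>"""


if __name__ == "__main__":
    for label, doc in (("smuggling", SAMPLE_SMUGGLING_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(label, scan_html(doc))
```

The benign fixture shows why a single indicator must not trigger on its own: the download attribute is ordinary HTML, and only the combination of client-side decoding, in-browser file construction and a risky target filename moves the score into the suspicious range. In practice this kind of check belongs at the endpoint or in a mail gateway that can see the full HTML body, since the perimeter never sees the assembled file.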

The danger HTML smuggling poses is greater now because of widespread remote work and the cloud hosting of everyday work tools. All of this runs through browsers, which are exposed to attacks like HTML smuggling. Companies need to treat these threats as real and develop mechanisms to prevent this type of attack.

SecureTeam, a UK-based cybersecurity firm, offers the following recommendations for staying secure against HTML smuggling and other perimeter security breaches:

  • Network segmentation will help limit the lateral movement of an attacker.
  • Services like Microsoft Windows Attack Surface Reduction will protect devices at the OS level and identify malicious code.
  • Make sure that the firewall is blocking traffic from known suspicious domains and IP addresses.